Windows ssh: Permission denied (publickey)

Question

I am trying to ssh to the remote client using a public key but I keep getting the permission denied (publickey) error and can't solve it. I have tried all the other solutions online, but it still won't work. I have replaced some information with * and ip_add. How do I resolve this issue?

    PS C:\WINDOWS\system32> ssh -v -i C:/Users/*/.ssh/id_rsa administrator@ip_add
    OpenSSH_for_Windows_7.6p1, LibreSSL 2.6.4
    debug1: Connecting to ip_add [ip_add] port 22.
    debug1: Connection established.
    debug1: identity file C:/Users/*/.ssh/id_rsa type 0
    debug1: key_load_public: No such file or directory
    debug1: identity file C:/Users/*/.ssh/id_rsa-cert type -1
    debug1: Local version string SSH-2.0-OpenSSH_for_Windows_7.6
    debug1: Remote protocol version 2.0, remote software version OpenSSH_for_Windows_8.1
    debug1: match: OpenSSH_for_Windows_8.1 pat OpenSSH* compat 0x04000000
    debug1: Authenticating to ip_add:22 as 'administrator'
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: algorithm: curve25519-sha256
    debug1: kex: host key algorithm: ecdsa-sha2-nistp256
    debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
    debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
    debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
    debug1: Server host key: ecdsa-sha2-nistp256 SHA256:qjxnj9GZZ6kvey+qvHsEoJYnLTz4N82DtnmFMjRlrq8
    debug1: Host '192.168.1.135' is known and matches the ECDSA host key.
    debug1: Found key in C:\\Users\\*/.ssh/known_hosts:2
    debug1: rekey after 134217728 blocks
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: rekey after 134217728 blocks
    debug1: pubkey_prepare: ssh_get_authentication_socket: No such file or directory
    debug1: SSH2_MSG_EXT_INFO received
    debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey
    debug1: Next authentication method: publickey
    debug1: Offering public key: RSA SHA256:+ymSxB9gd+AJe9wYj0WgW70Qk+x4fWxEQhk1JCQyKWE C:/Users/*/.ssh/id_rsa
    debug1: Authentications that can continue: publickey
    debug1: No more authentication methods to try.
    administrator@ip_add: Permission denied (publickey).

Answer 1

Another issue I haven't seen documented or mentioned elsewhere relates to the file format of authorized_keys file which needs to be UTF8 (without BOM).

I was creating this file as part of my automation process using

echo "<my_pub_key" > ~/.ssh/authorized_keys

This creates a UTF16-BOM file type which is read by Windows OpenSSH and you see the public key in the log file but it will not match the private key.

The solution was to IO.File which uses UTF8 by default

[IO.File]::WriteAllLines(~\.ssh\authorized_keys, "<my_pub_key")

I hope this helps someone else, check your authorized_keys file format, it had me completed stumped for many hours

Answer 2

I got this same error and searched around for quite a while, changed the permission on my private key, created a new non-admin user to connect with, tried a few other things. Followed these links (among others):
https://geekrewind.com/how-to-set-up-ssh-key-login-with-windows-11/
https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_keymanagement

For me, the issue was I had created my keypair using puttygen and OpenSSH on Windows didn't like the format of my PUBLIC key (I had already exported the private key to .pem format).

In my authorized_keys file, the original format was:

---- BEGIN SSH2 PUBLIC KEY ----
Comment: "xxxx"
xxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxx
---- END SSH2 PUBLIC KEY ----

changed it to:

ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

all on one line, no line breaks, no comment, and everything worked fine.

I know this is an old thread, but hopefully this helps someone.

Answer 3

A file or directory with a name that starts with '.' in Unix/Linux is hidden, but in Windows it is not. .ssh is a regular file or directory name. It may be hidden, but then you have to set the hidden attribute, for instance with the command attrib +h .ssh Also, there is no need to specify -i identityfilename as it defaults to C:\users\<user>\.ssh\known_hosts The log you show also confirms the host "ip_add" is found in that file. I would say the keys don't match. Easiest way to solve is to remove the line with the host name or IP address "ip_add" (with notepad or any text editor) and just repeat ssh -v administrator@ip_add. Provided the host with that name or address exists, this will prompt you

The authenticity of host 'ip_add (192.168.1.135)' can't be established.
ECDSA key fingerprint is SHA256:JxuqbzMam5Mgpa52B+xUsSd/3F6kb+yghZKnDX6ipQU.
Are you sure you want to continue connecting (yes/no/[fingerprint])?

and when you respond with yes the host will be added to the known_hosts file again, this time with a correct fingerprint. And the connection should be established.

Answer 4

I recently encountered a similar problem on Windows 10 and found the root cause (sort of) and the solution. My tool chain involved was: Visual Studio 2019 with git using ssh protocol and a key pair Sourcetree also using git A private bitbucket server.

My scenario was this: I installed Visual Studio 2019 with git using ssh protocol with my key pairs and was using it successfully, and then I installed Sourcetree (to get hunk commits instead of whole file commits) and Sourcetree worked but Visual Studio no longer could use git sync/commits.

The key to solving the problem was adding this environment variable: GIT_SSH_COMMAND=ssh -vvv

After restarting Visual Studio I could then get verbose information about the ssh failure using git.

The important debug output was this: debug1: send_pubkey_test: no mutual signature algorithm

This is when I realized that something was incompatible between my key pair and bitbucket server ssh algorithm. I did not diagnose the exact problem (which I believe is due to obsolete RSA keys) but instead I simply created a new key pair using: ssh-keygen -t ed25519 then uploaded to the bitbucket server and "bob's your uncle"

12 hours to find, 2 minutes to fix.

Answer 5

this is a late answer but I had the same issue

Windows can't see hidden things

First thing (but has nothing to do with the problem) : avoid the Power Shell(it is too powerful), use a simply CMD or best use the Git Bash (https://gitforwindows.org/)

Second, your syntax is almost OK, but you placed the keys in hidden folder C:\Users\yourname\.ssh\id_rsa and you should place it in a folder that is not hidden like this C:\Users\yourname\ssh\id_rsa and then you can access it like this :

C:\WINDOWS\system32> cd C:\Users\yourname\

C:\Users\yourname/> ssh <user>@<ssh_server> -p 22 -i ~/ssl/id_rsa

Where do you know?

debug1: No more authentication methods to try.

means definitively that you have not the same keys on your host and on remote , or there is a key here and no key there (or combinations of this) it has checked them all and says that "there are NO MORE keys to try". You must place the same keys on both places in a way the system can read them. You pay attention to this 2 lines:

debug1: identity file C:/Users/*/.ssh/id_rsa type 0 
debug1: key_load_public: No such file or directory

he was not able to read the key in the local hidden folder. So ... by moving it in a not hidden folder it will work.